Global | Assessment of Chinese industrial espionage risks

China is likely to deepen and broaden its industrial espionage efforts globally over the coming year. New export controls by the US and its allies mean that a window of opportunity to develop its high-tech industries will close.

This assessment was issued to clients of Dragonfly’s Security Intelligence & Analysis Service (SIAS) on 29 March 2023.

• Chinese industrial espionage is likely to become more bold in targeting private technology companies and research institutes operating in China and abroad
• China has over the past two decades sought to steal key technologies and underpinning IP from governments and firms
• Chinese threat actors are likely to include a mix of state agencies, academic organisations and private companies

Chinese officials said earlier this month that Beijing needs to ‘move faster toward greater self-reliance’. China is most likely to target firms operating in key technology sectors, such as semiconductors, telecommunications, advanced engineering and artificial intelligence.

Strategy likely to shift

Since China’s reopening in early 2023 several of our clients have asked us about the tactics and targeting of Chinese industrial espionage. There is incomplete data on this issue. But open source reporting suggests that Chinese intelligence officers mostly direct these, though private foreign and Chinese citizens are often involved. The number of reported China-related espionage cases has significantly increased over the past two decades. And acquiring commercial technology makes up the majority (51%) of recently reported espionage cases.

Chinese state agencies are likely to intensify their operations in the wider Asian region in the medium term. With more firms operating in sensitive sectors having reduced their presence in mainland China, Chinese threat actors will need to target companies abroad.
Key technologies are likely to be more easily accessible in countries such as South Korea, Japan, Europe and Southeast Asia compared to the US due to them having comparatively fewer safeguards. Chinese state-owned or controlled entities are likely to use both illegitimate and legitimate means such as investments and acquisitions to achieve this.

Targeted sectors

Industrial espionage is likely to focus on several key industries. The graphic below, sets out those in which China intends to quickly develop self-sufficiency, as stated in the country’s 14th Five Year Plan and the Made in China 2025 Plan.

Foreign technology firms in these sectors are likely to be of particular interest to Chinese state and private threat actors this year. The Chinese government has made significant progress in developing its self-sufficiency in key areas. But in the face of further export controls on China’s national security industries by the US and its allies over the past year, Beijing is likely to intensify its focus on military or intelligence related technologies. This includes specific engineering parts for aviation, missiles, ships and supercomputers as well as software for encryption, big data analysis and artificial intelligence.

Threat actors

China’s state agencies have an established capability to access and collect highly sensitive or secret information. The government agency that is most likely to conduct the majority of industrial espionage against civilian targets is the Ministry of State Security (MSS). The MSS operates domestically and internationally and reports to the highest levels of the country’s party-state. It remains well-resourced and has been involved in several espionage cases to develop the country’s self-sufficiency in key technologies.

MSS and other agencies are also likely to use non-intelligence officers to access IP. Private actors have played a predominant role in industrial espionage. There is often no clear delineation between the public and private sectors in China. Previous incidents suggest that China uses a ‘military-civil’ fusion between private companies, public universities, military and security agencies to build its economy and military. At least 15 public universities in China have been involved in cyberattacks, illegal exports or espionage, press reporting suggests.

Chinese businesses and other private actors are also likely to try to gain an economic advantage by stealing IP or technology. But their capabilities are more limited than those of state actors. The Chinese government rarely punishes its citizens’ economic espionage, at least in strategic sectors. This is also probably because it often sees such activities to be in its wider state interest. Many perpetrators avoid prosecution in foreign countries and return to China or they directly conduct espionage activities there. This includes competitors hiring third parties to conduct surveillance, cyber operations or blackmail to obtain data.

Industrial espionage is often carried out using a trusted insider or through cyber attacks. Based on open source data on recent cases, the Chinese state agencies frequently follow a similar pattern. The majority of recruitment or engagement with human sources has taken place in China. This has included people that have lived, worked or visited the PRC. Below we outline the common tactics used by Chinese threat actors to acquire commercial technology and confidential information.

• Targeting & research
  • Intelligence officials used open source data to identify individuals with access to technology prioritised by the Chinese government
• Engaging the target / seeding personnel
  • An employee was approached by an individual claiming to be from a Chinese science institution and invited them to give a university lecture, paid for and a small stipend was also provided
• Introduction to handlers
  • The individual is introduced to senior MSS intelligence officers, who appear to be senior scientists. These senior officers suggested further collaboration and further potential trips
  • Once a relationship is established the MSS officers attempt to elicit information around current work and projects
• Access to data
  • Data is often shared to verify the access of the employee to the right information. This can include email chains, hard drive directories or copies
  • Once the information is verified the intelligence officers move quickly to access and copy hard drives, laptops or printed copies made available to them

This is based on a handful of cases reported by the FBI and a US-based think tank.

Image: Guards walk by a display of military hardware at an exhibition highlighting Chinese President Xi Jinping’s years as leader as part of the upcoming 20th Party Congress in Beijing, China, on 12 October 2022. Photo by Kevin Frayer via Getty Images.